Archive for May, 2013

I often see my customers running things other than Active Directory Domain Services (ADDS) on Domain Controllers. These can range from the relatively innocuous (KMS) to the downright ludicrous (Exchange). Until now, I haven’t been able to point to anything official from Microsoft to state that this is not a good idea. Anyway, fellow Directory Services MVP Joe “Won’t Leave The Shire” Richards recently found this guidance in the new Best Practices for Securing Active Directory:

Domain controllers should be treated as critical infrastructure components, secured more stringently and configured more rigidly than file, print, and application servers. Domain controllers should not run any software that is not required for the domain controller to function or doesn’t protect the domain controller against attacks.

Something I’ve noticed in the on-line forums is that people are still advising others to use NTDSUTIL to perform a metadata cleanup to remove references to Domain Controllers that have been removed from AD without using DCPROMO (e.g. following a DC failure where demotion was not possible). Since Windows Server 2008 it has been possible to perform the metadata cleanup simply by deleting the Domain Controller object using Active Directory Users and Computers.

You probably know this, but for some reason I only found out about it when someone showed it to me the other day. Anyway, in the interests of sharing…

A really quick way to find the domain password and account lockout policy is to run the following from a CMD prompt:

net accounts

The output looks like this:

One thing you should bear in mind is that the output doesn’t take into account any Fine Grained Password Policies that may apply to your account. In other words, it is simply the output of the password and account lockout policy set at the domain level (usually in the Default Domain Policy) and not the resultant set of policies.
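To see what net accounts leaves out, the following PowerShell (an added example, not part of the original post) compares the domain-level policy with the resultant policy for each account, which is where Fine Grained Password Policies show up. It assumes the ActiveDirectory module from RSAT on a Windows Server 2008 or later domain; the function name is my own.

```powershell
# Added example: compare the domain-level password/lockout policy (what "net accounts"
# reports) with the resultant policy per user, which takes Fine Grained Password
# Policies (PSOs) into account. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Compare-EffectivePasswordPolicy {
    param(
        # Accounts to check, by sAMAccountName. Privileged accounts are the usual targets
        # for a stricter PSO, so they are the ones worth verifying first.
        [Parameter(Mandatory)][string[]]$SamAccountName
    )

    # Domain-level policy, i.e. the values "net accounts" prints.
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy

    # Settings shared by the default domain policy and a PSO, so they can be compared 1:1.
    $settings = 'MinPasswordLength', 'PasswordHistoryCount', 'MaxPasswordAge',
                'ComplexityEnabled', 'LockoutThreshold', 'LockoutDuration',
                'LockoutObservationWindow'

    foreach ($sam in $SamAccountName) {
        $user = Get-ADUser -Identity $sam

        # The PSO that wins for this user; nothing is returned when no PSO applies,
        # in which case the domain policy is the effective one.
        $resultant = Get-ADUserResultantPasswordPolicy -Identity $user
        if ($null -eq $resultant) {
            $resultant = $domainPolicy
            $source = 'Default domain policy'
        } else {
            $source = "PSO: $($resultant.Name)"
        }

        # List every setting where the effective value differs from "net accounts".
        $differences = foreach ($s in $settings) {
            if ($resultant.$s -ne $domainPolicy.$s) {
                "$s domain=$($domainPolicy.$s) effective=$($resultant.$s)"
            }
        }

        [pscustomobject]@{
            Account     = $sam
            Source      = $source
            Differences = ($differences -join '; ')
        }
    }
}

# Usage: Compare-EffectivePasswordPolicy -SamAccountName 'administrator', 'svc-backup' | Format-Table -AutoSize
```

An empty Differences column means net accounts already told you the truth for that account; anything else is a setting you would have misjudged by reading the domain policy alone.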